CVE-2026-44673: libyang Integer Overflow Leads to Heap Corruption

The National Vulnerability Database has detailed CVE-2026-44673, a high-severity integer overflow vulnerability in libyang, a critical library for YANG data modeling. Specifically, the lyb_read_string() function in src/parser_lyb.c is vulnerable in versions prior to SO 5.2.15. This flaw allows a maliciously crafted LYB binary blob to trigger a heap buffer overflow.

Attackers can exploit this by supplying specially designed LYB data to any libyang consumer. This includes common infrastructure components like NETCONF servers or sysrepo instances. The immediate impact is a denial-of-service via application crash, but the potential for heap corruption opens the door to more severe consequences, including arbitrary code execution if an attacker can reliably control memory writes.

Given libyang’s foundational role in network device management and configuration, this vulnerability is not trivial. While no specific affected products are listed by the National Vulnerability Database, any system relying on libyang for YANG data parsing is inherently at risk. Defenders must identify their exposure to libyang and prioritize patching to version SO 5.2.15 to mitigate this threat.

What This Means For You

  • If your organization utilizes NETCONF servers, sysrepo, or any application consuming YANG data via libyang, you need to assess your environment for CVE-2026-44673 exposure. Verify that libyang is updated to at least version SO 5.2.15 immediately. This isn't just about crashes; heap corruption can be a stepping stone for sophisticated attackers to achieve remote code execution.
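
To act on the version check above, the following added shell example (not from the advisory or the libyang project) flags libyang shared objects below SO 5.2.15 and processes that still map one after an upgrade. It assumes the real library file is named libyang.so.X.Y.Z with X.Y.Z the SO version; the function names and the optional PROC_ROOT argument are this example's own.

```shell
#!/bin/sh
# Added example, not libyang project code. Assumes the real library file is
# named libyang.so.X.Y.Z, where X.Y.Z is the SO version.
FIXED="5.2.15"   # fixed SO version named in the advisory

# ver_lt A B: succeed when dotted version A is numerically lower than B.
ver_lt() {
    _a=$1; _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*}; _y=${_b%%.*}
        [ "${_x:-0}" -lt "${_y:-0}" ] && return 0
        [ "${_x:-0}" -gt "${_y:-0}" ] && return 1
        case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
        case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
    done
    return 1   # equal versions are not lower
}

# so_version PATH: print X.Y.Z for a file named libyang.so.X.Y.Z, else fail.
so_version() {
    _n=${1##*/}; _v=${_n#libyang.so.}
    [ "$_v" != "$_n" ] || return 1
    case $_v in ''|.*|*.|*..*|*[!0-9.]*) return 1 ;; esac
    printf '%s\n' "$_v"
}

# audit_dirs DIR...: "VULNERABLE|ok <ver> <path>" per real file (symlinks skipped).
audit_dirs() {
    find "$@" -type f -name 'libyang.so.*' 2>/dev/null | while IFS= read -r _f; do
        _v=$(so_version "$_f") || continue
        if ver_lt "$_v" "$FIXED"; then _s=VULNERABLE; else _s=ok; fi
        echo "$_s $_v $_f"
    done
}

# stale_maps [PROC_ROOT]: "<pid> <ver> <path>" per process still mapping a pre-fix libyang.
stale_maps() {
    for _m in "${1:-/proc}"/[0-9]*/maps; do
        [ -r "$_m" ] || continue
        _pid=${_m%/maps}; _pid=${_pid##*/}
        sed -n 's/ (deleted)$//; s|^.* \(/.*libyang\.so\.[0-9.]*\)$|\1|p' "$_m" 2>/dev/null |
        sort -u | while IFS= read -r _p; do
            _v=$(so_version "$_p") || continue
            if ver_lt "$_v" "$FIXED"; then echo "$_pid $_v $_p"; fi
        done
    done
    return 0
}
if [ "$#" -gt 0 ]; then audit_dirs "$@"; stale_maps; fi   # ./audit.sh /usr/lib
```

Reading the maps of processes owned by other users requires root, so run the process check with sufficient privileges; a hit there means the service needs a restart even though the package on disk is already fixed.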

🛡️ Detection Rules

high T1204.002 Execution

CVE-2026-44673: libyang LYB Heap Corruption via Malicious Blob

title: CVE-2026-44673: libyang LYB Heap Corruption via Malicious Blob
id: scw-2026-05-14-ai-1
status: experimental
level: high
description: |
  Detects the execution of libyang-related processes (like NETCONF servers or sysrepo) that are attempting to parse a LYB binary blob using the vulnerable lyb_read_string function. This indicates a potential exploitation attempt of CVE-2026-44673, leading to heap corruption.
author: SCW Feed Engine (AI-generated)
date: 2026-05-14
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-44673/
tags:
  - attack.execution
  - attack.t1204.002
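logsource:
  category: process_creation
detection:
  # Fields inside one selection are ANDed; values in a list are ORed.
  # process_creation events record image paths and command lines, so the
  # CommandLine term matches only if the function name appears as an argument.
  selection:
    Image|contains:
      - 'libyang'
    ParentImage|contains:
      - 'NETCONF'
      - 'sysrepo'
    CommandLine|contains:
      - 'lyb_read_string'
  condition: selection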
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World

Indicators of Compromise

ID | Type | Indicator
CVE-2026-44673 | Buffer Overflow | libyang library, versions prior to SO 5.2.15
CVE-2026-44673 | Memory Corruption | libyang library, lyb_read_string() function in src/parser_lyb.c
CVE-2026-44673 | DoS | Parsing maliciously crafted LYB binary blob in libyang

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 15, 2026 at 00:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
